<![CDATA[OpenVPN with Remote Access (SSL/TLS + User Auth) // Auth Certificate issue]]>Hi,

I have Install and configure OpenVPN on Pfsense with (SSL/TLS + User Auth).

Remote Access (SSL/TLS + User Auth)
Requires both certificates and username/password
Each user has a unique client configuration which includes their personal certificate and key
Most secure as there are multiple factors of authentication (TLS Key and Certificate that the user has, and the username/password they know)

Everything is working fine, but suppose I have two users, A and B. When I try to connect with the profile (file .ovpn) of user B using the credentials of user A, it works.
Additionally, when I remove the certificate of user A, for example, they can still connect to the VPN.
My goal is, to link each user two his certificate and .ovpn file and if I remove the user certificate of a specific user, the .ovpn file becomes obsolete.
Can you please help me understand and correct my configuration if needed?

Best regards."

BR.

]]>https://forum.netgate.com/topic/185323/openvpn-with-remote-access-ssl-tls-user-auth-auth-certificate-issueRSS for NodeThu, 18 Jun 2026 05:32:14 GMTThu, 04 Jan 2024 17:00:56 GMT60<![CDATA[Reply to OpenVPN with Remote Access (SSL/TLS + User Auth) // Auth Certificate issue on Thu, 04 Jan 2024 18:44:41 GMT]]>@Diablo666-0 said in OpenVPN with Remote Access (SSL/TLS + User Auth) // Auth Certificate issue:

Everything is working fine, but suppose I have two users, A and B. When I try to connect with the profile (file .ovpn) of user B using the credentials of user A, it works.

To avoid this, go to the server settings and check "Strict User-CN Matching" in the "Cryptographic Settings" section.
Ensure that the CN in the client certificate matches the username.

Additionally, when I remove the certificate of user A, for example, they can still connect to the VPN.

Removing a valid client certificate is a bad idea at all. This cannot prohibit that the OpenVPN server is accepting it, because the server only verifies that the delivered client certificate is singed by the CA in use.
To reject a client certificate you have to revoke it instead.

Maybe you need to create a revocation list first (System > Certificates > Revocation) and add it the the OpenVPN server then.

You may remove a certificate after its expiration though.

]]>https://forum.netgate.com/post/1146222https://forum.netgate.com/post/1146222Thu, 04 Jan 2024 18:44:41 GMT